Open Stack

Hello.
I have a question about sharing one service function between multiple 
users.
Let's say there is a function which requires exactly two interfaces, 
ingress and egress, and is designed to serve multiple users through 
these interfaces.
There are a number of users who want to use this function between their 
vm and the Internet. For users it should be as transparent as possible, 
i.e. vm's IP address should not change and no new interfaces should be 
created. Each user has his own independent tenant, so I cannot just put 
all user vms into the SF's network.

Problem is, when I connect user's network and SF's network by a router 
or vm and setup networking-sfc, packets cannot reach SF because source 
vm is in a different network. If I include this router or vm into the 
chain, I need to setup default gateway and SNAT on it, but I'd like to 
avoid it. How do I use networking-sfc in this case?